Class RestGuard

Direct Known Subclasses:
AdminGuard, RoleBasedRestGuard

public abstract class RestGuard extends Object
REST method guard.
Implements a guard mechanism for REST method calls that allows requests to be rejected before invocation of the REST method. For example, guards can be used to ensure that only administrators can call certain methods.

Guards are applied to REST methods declaratively through the @Rest(guards) or @RestOp(guards) annotations.

If multiple guards are specified, ALL guards must pass in order for the request to proceed.

How to implement
Typically, guards will be used for permissions checking on the user making the request, but it can also be used for other purposes like pre-call validation of a request.

Implementers should simply throw a BasicHttpException from the guard(RestRequest, RestResponse) method to abort processing on the current request.

Guards must implement a no-args constructor.

Example usage:

public MyResource extends BasicRestServlet { // Delete method with guard that only allows Billy to call it. @RestDelete(guards=BillyGuard.class) public doDelete(RestRequest req, RestResponse res) throws Exception {...} }

Example implementation:

// Define a guard that only lets Billy make a request public BillyGuard extends RestGuard { @Override public boolean isRequestAllowed(RestRequest req) { return req.getUserPrincipal().getName().contains("Billy"); } }

See Also:
  • Constructor Details

  • Method Details

    • guard

      public boolean guard(RestRequest req, RestResponse res) throws BasicHttpException
      Checks the current HTTP request and throws a BasicHttpException if the guard does not permit the request.

      By default, throws an SC_FORBIDDEN exception if isRequestAllowed(RestRequest) returns false.

      Subclasses are free to override this method to tailor the behavior of how to handle unauthorized requests.

      req - The servlet request.
      res - The servlet response.
      true if request can proceed. Specify false if you're doing something like a redirection to a login page.
      BasicHttpException - Thrown to abort processing on current request.
    • isRequestAllowed

      public abstract boolean isRequestAllowed(RestRequest req)
      Returns true if the specified request can pass through this guard.
      req - The servlet request.
      true if the specified request can pass through this guard.